Bitcoin Forum
Author Topic: Newbie Experience with MtGox  (Read 3241 times)
msin (OP)
December 16, 2011, 04:53:10 PM
 #21

Yep, I agree with you, I have learned my lesson and will definitely use a Yubikey.  I will not use MtGox as they have many security flaws in their system.  I've never had my bank accounts, equity accounts, or even email accounts hacked, because of basic security precautions taken by those companies.  Would be really easy for MtGox to avoid issues like this with a simple email confirmation.

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

I would agree that there are simple things MtGox could do to improve security - for example, like requiring a 2nd password for withdrawal above a limit, or making withdrawals wait a little while to give you time to blow the whistle, or requiring a PGP signature to withdraw.  On the other hand, if you have a compromised machine, or a compromised e-mail account, none of this will be much help.

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.
casascius
Mike Caldwell
December 16, 2011, 05:06:25 PM
 #22

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

Even if account e-mail required confirmation, withdrawal does not.  Withdrawals are instant.  By the time you received the confirmation e-mail, it's already too late.

If withdrawal requires a PIN, and you have a keylogger, the attacker would also have your PIN.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
phelix
December 16, 2011, 07:04:02 PM
 #23

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals






mcorlett
December 16, 2011, 07:43:55 PM
 #24

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals
How about disabling withdrawals for new IP addresses until confirmed by email?
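
A sketch of the controls proposed in this thread, added here as an example and not part of any post or of MtGox's code: an e-mail change is only staged until it is confirmed from the address already on file, a confirmed change starts a withdrawal hold, and a withdrawal from an unseen IP needs e-mail confirmation. The class, method names, addresses and the 24-hour hold are assumptions; as noted earlier in the thread, none of this helps once the mailbox or the machine itself is compromised.

```python
import secrets

HOLD_SECONDS = 24 * 3600  # assumed cooling-off window; not a value from the thread


class Account:
    def __init__(self, email, known_ip):
        self.email = email
        self.known_ips = {known_ip}
        self.pending = {}       # one-time token -> (kind, value)
        self.hold_until = 0.0   # withdrawals refused before this timestamp

    def _issue(self, kind, value):
        token = secrets.token_urlsafe(16)
        self.pending[token] = (kind, value)
        return token            # would be mailed to the address currently on file

    def request_email_change(self, new_email):
        # Stage the change only; the current address has to approve it.
        return self._issue("email", new_email)

    def request_withdrawal(self, ip, now):
        if now < self.hold_until:
            return "held", None
        if ip not in self.known_ips:
            return "confirm_ip", self._issue("ip", ip)
        return "allowed", None

    def confirm(self, token, now):
        kind, value = self.pending.pop(token, (None, None))
        if kind == "email":
            self.email = value
            self.hold_until = now + HOLD_SECONDS  # owner gets time to object
        elif kind == "ip":
            self.known_ips.add(value)
        return kind


def stolen_password_scenario():
    """Constructed scenario: intruder has the password but not the mailbox."""
    acct = Account("owner@example.test", "198.51.100.7")
    acct.request_email_change("intruder@example.test")     # token goes to owner
    status, _ = acct.request_withdrawal("203.0.113.9", now=0)
    return acct.email, status


if __name__ == "__main__":
    print(stolen_password_scenario())
```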

interlagos
December 16, 2011, 08:26:48 PM
 #25

Msin, what email service did you use?

If email companies have access to so many details about your account, then they can actually request a password change first, then get into your account, do whatever they want, and then delete certain incoming emails to make it look like it was an attacker.

We need to start thinking about decentralized email service!
nmat
December 16, 2011, 08:38:17 PM
 #26

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.
casascius
Mike Caldwell
December 16, 2011, 09:27:34 PM
 #27

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.

That's excellent... sort of like how Chase and PayPal have the same thing.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
onelineproof
December 16, 2011, 09:43:57 PM
 #28

@msin

Did you have browser windows/tabs from other websites open at the same time as when you were logged in to Mt Gox?

I always make sure to open Mt Gox in a new Incognito Chromium Window, which basically creates an independent and private browsing session that I use just for Mt Gox. Otherwise, I think you can have an attack from a rogue website looking for things like a Mt Gox cookie for your current session.

The uncorrupted Bitmark protocol: https://github.com/bitmark-protocol/bitmark
Email <my username>@gmail.com 0xB6AC822C451D63046A2849E97DB7011CD53B564
msin (OP)
December 17, 2011, 11:11:45 PM
 #29

Msin, what email service did you use?

If email companies have access to so many details about your account, then they can actually request a password change first, then get into your account, do whatever they want, and then delete certain incoming emails to make it look like it was an attacker.

We need to start thinking about decentralized email service!

I use Gmail, but it has nothing to do with my email, it's my MtGox account that was hacked.  Still nothing from MtGox, they refuse to respond to me.
msin (OP)
December 17, 2011, 11:12:56 PM
 #30

Did you click a link in an "Mt Gox" email? Or basically, were you phished?
They have been warning about phishing emails for months.

Nope,  I wasn't phished, that's what's so frustrating, my account was just hacked and MtGox didn't do anything to stop it.
msin (OP)
December 17, 2011, 11:15:11 PM
 #31

They should go the route of a pin requirement for any actions.  The thing that really bothers me is that you can change your account email within MtGox without any confirmation whatsoever.  That's what really screwed me over, I was unable to put a stop to any actions.

confirmed - that really seems like an invitation to be goxxed. why the heck would they do that?

also I would like to see an option for an email confirmation for all withdrawals



Couldn't agree more, my email was allowed to be changed once the hacker was in my account, then they could do whatever they wanted.  So lame.
msin (OP)
December 17, 2011, 11:16:02 PM
 #32

AFAIK, MtGox is the only one offering the Yubikey option (someone correct me if I'm wrong, or if any other exchange has two factor authentication).

Both TradeHill and CampBX have free 2 factor authentication with an SMS/phone call to your cellphone.

Thanks, I'll probably be using TradeHill from now on. 
msin (OP)
December 17, 2011, 11:17:03 PM
 #33

@msin

Did you have browser windows/tabs from other websites open at the same time as when you were logged in to Mt Gox?

I always make sure to open Mt Gox in a new Incognito Chromium Window, which basically creates an independent and private browsing session that I use just for Mt Gox. Otherwise, I think you can have an attack from a rogue website looking for things like a Mt Gox cookie for your current session.

You know, I really don't remember, I could have had additional windows open.  I'll definitely keep that in mind.
msin (OP)
December 17, 2011, 11:24:00 PM
 #34

I think the overall point I'm trying to make is that BTC will never be mainstream if the #1 exchange has so many security holes, and money just disappears.  Plus, the customer service at MTGox is complete shit.
nmat
December 18, 2011, 12:48:51 AM
Last edit: December 18, 2011, 02:32:40 AM by nmat
 #35

I think the overall point I'm trying to make is that BTC will never be mainstream if the #1 exchange has so many security holes, and money just disappears.  Plus, the customer service at MTGox is complete shit.

The #1 exchange is chosen by people. If you are looking into alternatives I recommend CampBX for US users. They have excellent support.

Personally I never had any problem with MtGox, but I don't use it for the same reasons I wouldn't mine at Deepbit: they have a huge market share.
PatrickHarnett
December 18, 2011, 08:39:24 AM
 #36

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
cbeast
December 18, 2011, 09:37:18 AM
Last edit: December 18, 2011, 09:57:44 AM by cbeast
 #37

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
If it's based in Japan, then what good would legalese do for you? Use at your own risk until something better comes along. There's lots of ideas floating around, but mtgox is here and now.

I think this is a photo from 2006 of the CEO and trainees (looks like spring break) when Mutum Sigillum (the USA counterpart where your money actually goes) started:
MUTUM SIGILLUM LLC — 2915 OGLETOWN ROAD, # 1085 — NEWARK, DE 19713 — U.S.A.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
PatrickHarnett
December 19, 2011, 01:39:41 AM
 #38

Just doing some hunting - is there a "terms of use" for Gox?  I couldn't see it.  Pretty crummy for the so called #1 exchange.
If it's based in Japan, then what good would legalese do for you? Use at your own risk until something better comes along. There's lots of ideas floating around, but mtgox is here and now.

Legalese would be fine, even if in Japanese.  I will not be back there until the end of March, but that doesn't matter.  I know where they are located.